1. Introduction
This DPA is between the customer (the “Controller”) and Settio (the “Processor”). It applies to all personal data that the Processor processes on the Controller’s behalf in connection with the Services. In the event of conflict between this DPA and the Principal Agreement, this DPA prevails for matters of data protection.
2. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. “Customer Data” means personal data that the Controller (or its authorised users) submits to or generates through the Services.
3. Scope, subject matter and roles
The Processor processes Customer Data only for the purpose of providing and supporting the Services and for the duration of the Principal Agreement. The categories of data subjects, types of personal data, and processing activities are described in Annex I.
4. Processor obligations
- Process Customer Data only on documented instructions from the Controller, including with regard to international transfers.
- Ensure persons authorised to process Customer Data are bound by confidentiality.
- Implement and maintain the technical and organisational measures described in Annex II.
- Assist the Controller, taking into account the nature of processing, in fulfilling obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR.
5. Subprocessors
The Controller provides general written authorisation for the Processor to engage subprocessors listed at /subprocessors. The Processor will:
- give at least 30 days’ advance notice of any new subprocessor (by email or in-product notification);
- allow the Controller to object on reasonable data protection grounds, in which case the parties will work in good faith to resolve the objection or terminate the affected Service;
- impose contractual obligations on each subprocessor that are no less protective than this DPA, and remain liable for the acts and omissions of subprocessors.
6. International transfers
Where the Processor transfers Customer Data outside the EEA, the parties agree to be bound by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, the “SCCs”), with Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) applicable as relevant. The parties’ selections in the SCCs are:
- Clause 7 docking clause — applicable.
- Clause 9 use of subprocessors — Option 2 (general written authorisation), with 30 days’ notice.
- Clause 11 redress — independent dispute resolution body option not selected.
- Clause 17 governing law — Sweden.
- Clause 18 forum and jurisdiction — Sweden.
Where the UK GDPR applies, the parties incorporate the UK International Data Transfer Addendum to the SCCs.
7. Security measures
The Processor implements the technical and organisational measures set out in Annex II and described in our Security Overview. These may be updated, provided the overall level of security is not reduced.
8. Data subject rights and assistance
The Processor will, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures to respond to requests from data subjects. Where a data subject contacts the Processor directly, the Processor will refer them to the Controller and notify the Controller without undue delay.
9. Personal data breaches
The Processor will notify the Controller without undue delay (target: within 48 hours) after becoming aware of a personal data breach affecting Customer Data, including:
- nature of the breach and categories of data affected;
- likely consequences;
- measures taken or proposed to address the breach;
- contact details for follow-up.
10. Audits
The Processor will make available, on the Controller’s written request, summary documentation including its security policies, current audit reports (e.g. SOC 2 / ISO 27001 once available), penetration test summaries, and responses to standard security questionnaires (e.g. CAIQ). Where the Controller can show this is not sufficient, the Controller may, on reasonable advance notice and at its cost, conduct an audit limited to information and systems relevant to the processing of Customer Data.
11. Return or deletion of Customer Data
On termination of the Principal Agreement, the Processor will, at the Controller’s choice, delete or return all Customer Data within 30 days, including from backups within the standard backup rotation cycle, unless EU or member-state law requires continued storage.
Annex I — Description of processing
A. List of parties
- Controller — the customer entity identified in the Principal Agreement.
- Processor — Settio, contactable at [email protected].
B. Description of transfer
- Categories of data subjects: Controller’s employees, candidates, international hires, family members relocating with them, Controller’s authorised users.
- Categories of personal data: identification and contact data, employment data, immigration and work-permit data, address and relocation data, document content uploaded by users, usage and log data.
- Special categories: only when explicitly required by the onboarding workflow set by the Controller (e.g. nationality, family composition, limited health data for insurance) and processed under appropriate Article 9 safeguards.
- Frequency: continuous, for the duration of the Principal Agreement.
- Nature of processing: hosting, storing, displaying, transmitting, organising, and analysing Customer Data to provide the Services.
- Purpose: providing onboarding, compliance, and audit-trail functionality to the Controller.
- Retention: as set out in the Privacy Policy and the Principal Agreement.
Annex II — Technical and organisational measures
- Encryption: TLS 1.2+ in transit; AES-256 at rest; encrypted backups; KMS-managed keys with rotation.
- Access control: SSO and MFA for admin tooling, role-based access, least privilege, quarterly access reviews, immediate offboarding.
- Network: segregated environments, private networking for data plane, WAF, DDoS protections.
- Application security: secure SDLC, code review, dependency scanning, static analysis, regular penetration testing.
- Logging & monitoring: centralised logs, tamper-evident audit trails, alerting on anomalous activity.
- Resilience: high-availability EU hosting, automated backups, tested restore procedures, documented BCP / DR.
- Personnel: background checks where lawful, confidentiality obligations, annual security & privacy training.
- Incident response: documented runbooks, 24-hour internal triage target, breach notification within 48 hours.
- Vendor management: documented subprocessor reviews, contractual DPAs with each subprocessor.